
Revealed during SANS Institute’s much-anticipated annual RSA keynote, this year’s insights highlight emerging threats from ICS ransomware to AI regulatory risks.
Heather Barnhart presenting the importance of logging.
Bethesda, MD, May 01, 2025 (GLOBE NEWSWIRE) — Each year, the SANS Institute’s must-see keynote session at RSA Conference delivers a forward-looking briefing on the most critical and emerging attack vectors in cybersecurity. The 2025 session surfaced five new attack techniques that are reshaping how enterprises must think about cyber risk. Moderated by SANS Technology Institute President Ed Skoudis, the 45-minute session brought together top SANS experts to assess how today’s attackers are escalating both their technical sophistication and impact on business operations.
With a real-time pulse on the cyber threat landscape, SANS experts have historically raised awareness of emerging attack techniques well before they become mainstream. For example:
• In 2017, Ed Skoudis anticipated how ransomware combined with cryptocurrencies would become a powerful tool for threat actors. In 2019, he analyzed the rise of attacks from the cloud against the cloud.
• In 2020, Heather Barnhart predicted the rise in weaponized malware utilized by nation states against mobile devices, as we saw with Pegasus spyware.
• In 2018, James Lyne discussed growing trends in malware attacks focused on disrupting Industrial Control Systems (ICS) and utilities.
• In 2023, Stephen Sims warned that threat actors would manipulate AI tools to amplify the velocity of ransomware campaigns and identify zero-day vulnerabilities in complex systems.
The following five attack techniques highlighted in this year’s keynote session reveal a troubling convergence of misconfigured cloud environments, rising operational risk in industrial control systems, complex regulatory dynamics around artificial intelligence (AI), and more. Attendees left with critical insights and actionable recommendations to help their organizations anticipate threats, mitigate risk, and strengthen resilience across cloud, operational, and regulatory domains in 2025.
Attack Technique #1: Authorization Sprawl in Cloud and SaaS Environments
Presented by Joshua Wright, SANS Faculty Fellow
As enterprise cloud adoption accelerates, so too does the complexity of identity and access management. Authorization sprawl—where users hold redundant or excessive permissions across cloud, SaaS, and hybrid environments—has become a critical vulnerability. These overextended privileges create hidden attack paths that adversaries can exploit without raising immediate alarms.